My query is regarding the journal disk size. The default configuration is 5GB. I am planning to have 100GB of file system on each graylog nodes and planning to assign at least 50GB to message_journal_max_size. Is this a recommended setting? What are the recommended settings or optimal values?
The reason why I am asking this because let’s assume that the journal reaches 40GB if the downstream elastic search was down. When the downstream (elastic search) is back up during dequeuing of messages from the journal will there be any performance impact on the graylog or on the elastic search? Has anybody tested this or has any comments.
as long as you have that space exclusive available to the journal you can configure what suite your setup.
The journal gives you the option to buffer messages as long as elasticsearch is down for maintenance (for example). When ES is back online the messages will be processed from the journal to ES and yes - that will put more load on GL and ES.
In Graylog the messages will be processed and Elasticsearch will then store those messages. But new incoming messages will be placed in the journal (at the end) and after some time the backlog will be processed.
You should not only raise the size of the journal but the max message age too
@jan thanks for your prompt reply and answering my question. Anyways I am going to test this and monitor the performance soon. I will update here whatever my observations will be.
